Webhooks

Info: Webhooks are available on the Business plan.

Webhooks allow you to receive real-time notifications when events happen in your Rekivo organization. Instead of polling the API, you register an endpoint URL and Rekivo sends HTTP POST requests to it whenever subscribed events occur.

Setting up webhooks

  1. Go to Settings
     Navigate to the Webhooks section in your organization settings.

  2. Add an endpoint
     Enter the URL of your webhook receiver and select the events you want to subscribe to. Rekivo generates a signing secret for you.

  3. Save the signing secret
     Copy and store the signing secret securely. You will need it to verify incoming webhook payloads. The secret is only shown once at creation time.

Events

You can subscribe to any combination of the following events:

Event                    Trigger
invoice.created          A new invoice is received via email or uploaded manually
invoice.status_changed   An invoice's workflow status changes (e.g. New → Approved)
invoice.deleted          An invoice is deleted
export.completed         An export archive finishes generating

Payload format

All webhook deliveries are HTTP POST requests with a JSON body:

{
  "event": "invoice.created",
  "timestamp": "2026-03-15T14:30:00.000Z",
  "data": {
    "invoiceId": "clx1abc...",
    "format": "XRechnung UBL",
    "sender": "Supplier GmbH"
  }
}

The payload structure in data varies by event type.

Verifying signatures

Every webhook request includes an X-Rekivo-Signature header containing an HMAC-SHA256 signature of the request body, signed with your endpoint's secret.

X-Rekivo-Signature: sha256=a1b2c3d4e5f6...

To verify a webhook delivery:

  1. Read the raw request body as a string.
  2. Compute the HMAC-SHA256 of the body using your signing secret.
  3. Compare your computed signature to the value in the X-Rekivo-Signature header.

Warning: Always verify the signature before processing a webhook. This ensures the request actually came from Rekivo and has not been tampered with.
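
The three verification steps above, together with de-duplication on X-Rekivo-Delivery, as an added Python example (not Rekivo's own code). It assumes the signature is the hex-encoded digest behind the sha256= prefix shown in the header example; the WebhookReceiver class and its in-memory delivery store are hypothetical.

```python
import hashlib
import hmac
import json

SIG_PREFIX = "sha256="  # prefix shown in the X-Rekivo-Signature example


def sign(raw_body: bytes, secret: str) -> str:
    # Assumption: the digest is hex-encoded, as the header example suggests.
    mac = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256)
    return SIG_PREFIX + mac.hexdigest()


def verify_signature(raw_body: bytes, header_value, secret: str) -> bool:
    """True only if the header matches the HMAC of the exact bytes received."""
    if not header_value:
        return False  # missing header: reject, never skip the check
    received = header_value.strip().lower()
    if not received.startswith(SIG_PREFIX):
        return False
    # compare_digest is constant-time, so response timing does not reveal
    # how much of a forged signature was correct.
    return hmac.compare_digest(sign(raw_body, secret).encode(), received.encode())


class WebhookReceiver:
    """Hypothetical receiver: verify first, then de-duplicate, then parse."""

    def __init__(self, secret: str):
        self.secret = secret
        self.seen_deliveries = set()  # in-memory here; persist it in production
        self.processed = []

    def handle(self, headers: dict, raw_body: bytes) -> int:
        """Return the HTTP status code to send back."""
        sig = headers.get("X-Rekivo-Signature")
        if not verify_signature(raw_body, sig, self.secret):
            return 401  # unverified bytes are never parsed
        delivery_id = headers.get("X-Rekivo-Delivery")
        if delivery_id in self.seen_deliveries:
            return 200  # duplicate delivery: acknowledge without reprocessing
        event = json.loads(raw_body)
        self.seen_deliveries.add(delivery_id)
        self.processed.append(event["event"])
        return 200
```

Pass the body bytes exactly as they arrived: re-serializing the parsed JSON changes whitespace and key formatting, so the recomputed HMAC no longer matches.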

Additional headers

Header               Description
X-Rekivo-Event       The event type (e.g. invoice.created)
X-Rekivo-Delivery    Unique delivery ID for idempotency
X-Rekivo-Signature   HMAC-SHA256 signature of the body

Delivery behavior

  • Rekivo waits up to 10 seconds for your endpoint to respond.
  • A response with a 2xx status code is considered successful.
  • Any other response (timeout, connection error, 4xx, 5xx) is marked as failed.
  • Failed deliveries are not retried automatically. You can view delivery history and send test events from the settings page.

Limits

  • Up to 5 webhook endpoints per organization.
  • Webhook URLs must use HTTPS in production.
  • Delivery payloads are limited to the first 1000 characters of your endpoint's response for debugging.

Testing

You can send a test event from the webhook settings page to verify that your endpoint is reachable and correctly verifying signatures. The test event uses the invoice.created event type with sample data.
